Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed Vulnerability: Disabling or not configuring this setting can compromise security as it may allow a malicious agent to reverse engineer a password that is not managed. Counter Measure: Enable this setting. Potential Impact: Local administrator passwords are changed as managed. Fix: (1) GPO: Computer ConfigurationAdministrative TemplatesLAPSEnable local admin password management (2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoft ServicesAdmPwd!AdmPwdEnabled

[enable/disable]

(1) GPO: Computer Configuration\Administrative Templates\LAPS\Enable local admin password management (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd!AdmPwdEnabled